Abstract

We construct a strong extractor against quantum storage that works for every min-entropy $k$, has
logarithmic seed length, and outputs $\Omega(k)$ bits, provided that the quantum adversary has at most $\beta k$
qubits of memory, for any $\beta < \frac{1}{2}$. The construction works by first condensing the source (with minimal
entropy-loss) and then applying an extractor that works well against quantum adversaries when the
source is close to uniform.

We also obtain an improved construction of a strong quantum-proof extractor in the high min-entropy
regime. Specifically, we construct an extractor that uses a logarithmic seed length and extracts $\Omega(n)$ bits
from any source over $\{0,1\}^n$, provided that the min-entropy of the source conditioned on the quantum
adversary's state is at least $(1-\beta)n$, for any $\beta < \frac{1}{2}$.

1 Introduction 

In the privacy amplification problem Alice and Bob share information that is only partially secret with respect
to an eavesdropper Charlie. Their goal is to distill this information to a shorter string that is completely
secret. The problem was introduced in [2, 1] for classical eavesdroppers. An interesting variant of the problem,
where the eavesdropper is allowed to keep quantum information rather than just classical information,
was introduced by Konig, Maurer and Renner [15]. This situation naturally occurs in analyzing the security
of some quantum key-distribution protocols and in bounded-storage cryptography [18, 16].

The shared information between Alice and Bob is modeled as a shared string $x \in \{0,1\}^n$, sampled
according to a distribution $X$. The information of the eavesdropper is modeled as a mixed state, $\rho(x)$, which
might be correlated with $x$.

The privacy amplification problem can be solved by Alice and Bob, but only by using a (hopefully short)
random seed $y$, which can be public. Thus, Alice and Bob look for a function $E : \{0,1\}^n \times \{0,1\}^t \to
\{0,1\}^m$ that acts on their shared input $x$ and the public random string $y$, and extracts "true randomness"
for any "allowed" classical distribution $X$ and side information $\rho(X)$. More formally, $E$ is an $\epsilon$-strong
extractor for a family of inputs $\Omega$, if for any distribution $X$ and any quantum system $\rho$ such that $(X; \rho) \in \Omega$,
the distribution $Y \circ E(X,Y) \circ \rho$ is $\epsilon$-close to $U \circ \rho$, where $U$ denotes the uniform distribution. (See Section 2.2
for precise details.)

Clearly, no randomness can be extracted if, for every $x$, it is possible to recover $x$ from the side information
$\rho(x)$. We say the conditional min-entropy of $X$ with respect to $\rho(X)$ is $k$, if an adversary holding the
state $\rho(x)$ cannot guess the string $x$ with probability higher than $2^{-k}$. Roughly speaking, if one can extract $k$
almost uniform bits from a source $X$ in spite of the side information $\rho(X)$, then the state $X \circ \rho(X)$ is close
to another state with conditional min-entropy at least $k$.¹ Thus, in a very concrete sense, the ultimate goal
is finding extractors for sources with high conditional min-entropy.² We say $E$ is a quantum-proof $(n, k, \epsilon)$
strong extractor if it extracts randomness from every input $(X; \rho)$ with conditional min-entropy at least $k$.

Table 1: Explicit quantum-proof $(n, k, \epsilon)$ strong extractors. To simplify parameters, the error $\epsilon$ is a constant.

Not every classical extractor³ is quantum-proof, as was shown by Gavinsky et al. [11]. On the positive
side, several well-known classical extractors are quantum-proof. Table 1 lists some of these constructions.
We remark that the best explicit classical extractors [13, 9, 8] achieve significantly better parameters than
those known to be quantum-proof.

A simpler adversarial model is the "bounded storage model" where the adversary may store a limited
number of qubits. The only advantage of the bounded storage model for extractors is that it simplifies the
proofs, and allows us to achieve results which currently we cannot prove in the general model. We say $E$ is
an $(n, k, b, \epsilon)$ strong extractor against quantum storage if it extracts randomness from every pair $(X; \rho)$ for
which $X$ has at least $k$ min-entropy and for every $x$, $\rho(x)$ is a mixed state with at most $b$ qubits.

In this paper we work with a slight generalization of the bounded storage model. We say $E$ is a quantum-proof
$(n, f, k, \epsilon)$ strong extractor for flat distributions if it extracts randomness from every input $(X; \rho)$ for
which $X$ is a flat distribution (meaning it is uniform over its support) with exactly $f$ min-entropy and the
conditional min-entropy is at least $k$. In Lemma 2.4 we prove the easy observation that any quantum-proof
$(n, f, k, \epsilon)$ strong extractor for flat distributions is also an $(n, f, f-k, \epsilon)$ strong extractor against quantum
storage.

We show a generic reduction from the problem of constructing quantum-proof $(n, f, k, \epsilon)$ strong extractors
for flat distributions to the problem of constructing quantum-proof $((1+\alpha)f, f, k, \epsilon)$ strong extractors
for flat distributions, and a similar reduction for the bounded storage model. In other words, in our model
the quantum adversary may have two types of information about the source: first, it may have some classical
knowledge about it, reflected in the fact that the input $x$ is taken from some classical flat distribution $X$, and
second, it holds a quantum state that contains some information about the source. The reduction shows that
without loss of generality we may assume the classical input distribution is almost uniform. The reduction
uses a purely classical object called a strong lossless condenser and extends work done in [24] on extractors
to quantum-proof extractors. This reduction holds for any setting of the parameters.

¹ Such a source is said to have conditional smooth min-entropy $k$.

² A simple argument shows an extractor for sources with high conditional min-entropy is also an extractor for sources with high
conditional smooth min-entropy.

³ We refer to extractors that extract randomness when the side information is classical as classical extractors.

We then augment this with a simple construction that shows how to obtain a quantum-proof
$((1+\alpha)f, f, k = (1-\beta)f, \epsilon)$ strong extractor for flat distributions, provided that $\beta < \frac{1}{2}$. The argument here builds
on work done in [19] on composition of extractors and extends it to quantum-proof extractors. Together,
these two reductions give:

Theorem 1.1. For any $\beta < \frac{1}{2}$ and $\epsilon > 2^{-k^{\beta}}$, there exists an explicit quantum-proof $(n, k, (1-\beta)k, \epsilon)$
strong extractor for flat sources $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ with seed length $t = O(\log n + \log \epsilon^{-1})$
and output length $m = \Omega(k)$.

Consequently, 

Theorem 1.2. For any $\beta < \frac{1}{2}$ and $\epsilon > 2^{-k^{\beta}}$, there exists an explicit $(n, k, \beta k, \epsilon)$ strong extractor against
quantum storage, $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$, with seed length $t = O(\log n + \log \epsilon^{-1})$ and output
length $m = \Omega(k)$.

This gives the first logarithmic seed length extractor against $b$ quantum storage that works for every
min-entropy $k$ and extracts a constant fraction of the entropy, and it is applicable whenever $b = \beta k$ for
$\beta < \frac{1}{2}$.

We would like to stress that in most practical applications, and in particular in cryptographic applications 
such as quantum key distribution, it is generally impossible to bound the size of the side information. For 
example, in quantum key distribution where extractors are used for privacy amplification, the conditional 
min-entropy of the source can be estimated by measuring the noise on the channel, whereas any estimate on 
the adversary's memory is an unproven assumption. Thus, an extractor proven to work only against quantum 
storage cannot be used in quantum key distribution protocols. We nevertheless feel that proving a result in 
the bounded storage model may serve as a first step towards solving the general question. 

In fact, the second component in the above construction also works in the general quantum-proof setting.
Specifically, this gives an extractor with seed length $t = O(\log n + \log \epsilon^{-1})$ that extracts $\Omega(n)$ bits from any
source with conditional min-entropy at least $(1-\beta)n$ for $\beta < \frac{1}{2}$.

Theorem 1.3. For any $\beta < \frac{1}{2}$ and $\epsilon > 2^{-n^{\beta}}$, there exists an explicit quantum-proof $(n, (1-\beta)n, \epsilon)$ strong
extractor $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ with seed length $t = O(\log n + \log \epsilon^{-1})$ and output length
$m = \Omega(n)$.

The rest of the paper is organized as follows. Section 2 contains all the necessary preliminaries, including
the formal definitions of min-entropy, quantum-proof extractors and extractors against quantum storage. In
Section 3 we give the reduction which shows it is sufficient to construct extractors for sources with nearly
full min-entropy, when working in the bounded storage or flat sources settings. In Section 4 we describe the
construction of quantum-proof extractors when the conditional min-entropy is more than half, and give the
proof of Theorem 1.3. The proofs of Theorems 1.1 and 1.2 are given in Section 5.

2 Preliminaries 

Distributions. A distribution $D$ on $A$ is a function $D : A \to [0,1]$ such that $\sum_{a \in A} D(a) = 1$. We
denote by $x \sim D$ sampling $x$ according to the distribution $D$. Let $U_t$ denote the uniform distribution over
$\{0,1\}^t$. We measure the distance between two distributions with the variational distance $|D_1 - D_2|_1 =
\frac{1}{2} \sum_{a \in A} |D_1(a) - D_2(a)|$. The distributions $D_1$ and $D_2$ are $\epsilon$-close if $|D_1 - D_2|_1 \le \epsilon$.
The min-entropy of $D$ is denoted by $H_\infty(D)$ and is defined to be

$$H_\infty(D) = \min_{a : D(a) > 0} -\log(D(a)).$$
If $H_\infty(D) \ge k$ then for all $a$ in the support of $D$ it holds that $D(a) \le 2^{-k}$. A distribution is flat if it is
uniformly distributed over its support. Every distribution $D$ with $H_\infty(D) \ge k$ can be expressed as a convex
combination $\sum \alpha_i D_i$ of flat distributions $\{D_i\}$, each with min-entropy at least $k$. We sometimes abuse
notation and identify a set $X$ with the flat distribution that is uniform over $X$.

If $X$ is a distribution over $A_1$ and $f : A_1 \to A_2$ then $f(X)$ denotes the distribution over $A_2$ obtained
by sampling $x$ from $X$ and outputting $f(x)$. If $X_1$ and $X_2$ are correlated distributions we denote their joint
distribution by $X_1 \circ X_2$. If $X_1$ and $X_2$ are independent distributions we replace $\circ$ by $\times$ and write $X_1 \times X_2$.

Mixed states. A pure state is a vector in some Hilbert space. A general quantum system is in a mixed state,
a probability distribution over pure states. Let $\{p_i, |\phi_i\rangle\}$ denote the mixed state where the pure state $|\phi_i\rangle$
occurs with probability $p_i$. The behavior of the mixed state $\{p_i, |\phi_i\rangle\}$ is completely characterized by its
density matrix $\rho = \sum_i p_i |\phi_i\rangle\langle\phi_i|$, in the sense that two mixed states with the same density matrix have the
same behavior under any physical operation. Notice that a density matrix over a Hilbert space $\mathcal{H}$ belongs
to $\mathrm{Hom}(\mathcal{H}, \mathcal{H})$, the set of linear transformations from $\mathcal{H}$ to $\mathcal{H}$. Density matrices are positive semi-definite
operators and have trace 1.

The trace distance between density matrices $\rho_1$ and $\rho_2$ is $\|\rho_1 - \rho_2\|_{tr} = \frac{1}{2} \sum_i |\lambda_i|$, where $\{\lambda_i\}$ are
the eigenvalues of $\rho_1 - \rho_2$. The trace distance coincides with the variational distance when $\rho_1$ and $\rho_2$ are
classical states ($\rho$ is classical if it is diagonal in the standard basis). Similarly to probability distributions,
the density matrices $\rho_1$ and $\rho_2$ are $\epsilon$-close if the trace distance between them is at most $\epsilon$.

A positive operator valued measure (POVM) is the most general formulation of a measurement in quantum
computation. A POVM on a Hilbert space $\mathcal{H}$ is a collection $\{F_i\}$ of positive semi-definite operators
$F_i : \mathrm{Hom}(\mathcal{H}, \mathcal{H}) \to \mathrm{Hom}(\mathcal{H}, \mathcal{H})$ that sum up to the identity transformation, i.e., $F_i \succeq 0$ and $\sum_i F_i = I$.
Applying a POVM $F = \{F_i\}$ on a density matrix $\rho$ results in the distribution $F(\rho)$ that outputs $i$ with
probability $\mathrm{Tr}(F_i \rho)$.

A Boolean measurement $\{F, I - F\}$ $\epsilon$-distinguishes $\rho_1$ and $\rho_2$ if $|\mathrm{Tr}(F\rho_1) - \mathrm{Tr}(F\rho_2)| \ge \epsilon$.
We shall need the following facts regarding the trace distance.

Fact 2.1. If $\|\rho_1 - \rho_2\|_{tr} = \delta$ then there exists a Boolean measurement that $\delta$-distinguishes $\rho_1$ and $\rho_2$.

Fact 2.2. If $\rho_1$ and $\rho_2$ are $\epsilon$-close then $\mathcal{E}(\rho_1)$ and $\mathcal{E}(\rho_2)$ are $\epsilon$-close, for any physically realizable
transformation $\mathcal{E}$.

2.1 Min-entropy 

To define the notion of quantum-proof extractors we first need the notion of quantum encoding of classical 
states. 

Definition 2.1. Let X be a distribution over some set A. 

• An encoding of $X$ is a collection $\rho = \{\rho(x)\}_{x \in A}$ of density matrices.

• An encoding $\rho$ is a $b$-storage encoding if $\rho(x)$ is a mixed state over $b$ qubits, for all $x \in A$.

• An encoding is classical if $\rho(x)$ is classical for all $x$.

The average encoding is denoted by $\rho_X = \mathbb{E}_{x \sim X}[\rho(x)]$.

Next we define the notion of conditional min-entropy. The conditional min-entropy of X given p(X) 
measures the average success probability of predicting x given the encoding p(x). Formally, 
Definition 2.2. The conditional min-entropy of $X$ given an encoding $\rho$ is

$$H_\infty(X; \rho) = -\log \sup_{F} \mathbb{E}_{x \sim X} \left[ \mathrm{Tr}(F_x \rho(x)) \right],$$

where the supremum ranges over all POVMs $F = \{F_x\}_{x \in A}$.

We remark that there exists another definition of conditional min-entropy in the quantum setting, which
is more algebraic in flavor. However, the two definitions are equivalent, as shown in [17].

Proposition 2.1 (HH Proposition 2]). If $\rho$ is a $b$-storage encoding of $X$ then $H_\infty(X; \rho) \ge H_\infty(X) - b$.

We shall need the following standard lemmas regarding min-entropy that can be found, e.g., in [21]. The
first lemma says that cutting $\ell$ bits from a source cannot reduce the min-entropy by more than $\ell$.

Lemma 2.1. Let $X = X_1 \circ X_2$ be a distribution over bit strings and $\rho$ be an encoding such that $H_\infty(X; \rho) \ge
k$, and suppose that $X_2$ is of length $\ell$. Let $\rho'$ be the encoding of $X_1$ defined by $\rho'(x_1) = \mathbb{E}_{x \sim (X | X_1 = x_1)}[\rho(x)]$.
Then, $H_\infty(X_1; \rho') \ge k - \ell$.

Proof: Given any predictor $P'$ which predicts $X_1$ from $\rho'$, we can construct a predictor $P$ for $X$ (from $\rho$)
as follows: $P$ simply runs $P'$ to obtain a prediction for the prefix $x_1$, and then appends it with a randomly
chosen string from $\{0,1\}^\ell$. Then,

$$\Pr_{x_1 \circ x_2 \sim X}[P(\rho(x_1 \circ x_2)) = x_1 \circ x_2] = \Pr_{x_1 \circ x_2 \sim X}[P'(\rho(x_1 \circ x_2)) = x_1] \cdot 2^{-\ell} = \Pr[P'(\rho'(x_1)) = x_1] \cdot 2^{-\ell}.$$

Thus, if $H_\infty(X_1; \rho') < k - \ell$ then there would have been a predictor which predicts $X$ with probability
greater than $2^{-k}$ and this cannot be the case since $H_\infty(X; \rho) \ge k$. ■

The second lemma says that if a source has high min-entropy, then revealing a short prefix (with high
probability) does not change the min-entropy by much. The lemma is a generalization of a well known classical
lemma.

Lemma 2.2. Let $X = X_1 \circ X_2$ be a distribution and $\rho$ be an encoding such that $H_\infty(X; \rho) \ge k$, and suppose
that $X_1$ is of length $\ell$. For a prefix $x_1$, let $\rho_{x_1}$ be the encoding of $X_2$ defined by $\rho_{x_1}(x_2) = \rho(x_1 \circ x_2)$. Call
a prefix $x_1$ bad if $H_\infty(X_2 \mid X_1 = x_1; \rho_{x_1}) < r$ and denote by $B$ the set of bad prefixes. Then,

$$\Pr[X_1 \in B] < 2^{\ell} \cdot 2^{r} \cdot 2^{-k}.$$

Proof: Let the prefix $x_1' \in B$ be the one with the largest probability mass. Then, $\Pr[X_1 = x_1'] \ge \Pr[X_1 \in
B] \cdot 2^{-\ell}$. For any $z \in B$, let $A_z$ denote the optimal predictor that predicts $X_2$ from $\rho_z$, conditioned on
$X_1 = z$. By the definition of min-entropy, for any $z \in B$,

$$\mathbb{E}_{x_2 \sim (X_2 | X_1 = z)} \Pr[A_z(\rho_z(x_2)) = x_2] > 2^{-r}.$$

In particular this holds for $z = x_1'$.

Now, define a predictor $P$ for $X$ from $\rho$ by

$$P(\rho(x)) = x_1' \circ A_{x_1'}(\rho(x)),$$
that is, $P$ simply "guesses" that the prefix is $x_1'$ and then applies the optimal predictor $A_{x_1'}$. The average
success probability of $P$ is

$$\mathbb{E}_{x \sim X}\left[\Pr[P(\rho(x)) = x]\right] = \mathbb{E}_{x \sim X}\left[\delta_{x_1, x_1'} \cdot \Pr[A_{x_1'}(\rho_{x_1'}(x_2)) = x_2]\right]$$
$$= \Pr[X_1 = x_1'] \cdot \mathbb{E}_{x_2 \sim (X_2 | X_1 = x_1')} \Pr[A_{x_1'}(\rho_{x_1'}(x_2)) = x_2]$$
$$> \Pr[X_1 \in B] \cdot 2^{-\ell} \cdot 2^{-r}.$$

On the other hand, since $H_\infty(X; \rho) \ge k$, the average success probability of $P$ is at most $2^{-k}$. Altogether,
$\Pr[X_1 \in B] < 2^{\ell} \cdot 2^{r} \cdot 2^{-k}$. ■



2.2 Quantum-proof extractors 

We now define the three different classes of extractors against quantum adversaries that we deal with in this 
paper. We begin with the most general (and natural) definition: 

Definition 2.3. A function $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is a quantum-proof $(n, k, \epsilon)$ strong extractor if
for every distribution $X$ over $\{0,1\}^n$ and every encoding $\rho$ such that $H_\infty(X; \rho) \ge k$,

$$\| U_t \circ E(X, U_t) \circ \rho(X) - U_{t+m} \times \rho_X \|_{tr} \le \epsilon.$$

We use $\circ$ to denote correlated values. Thus, $U_t \circ E(X, U_t) \circ \rho(X)$ denotes the mixed state obtained by
sampling $x \sim X$, $y \sim U_t$ and outputting $|y, E(x,y)\rangle\langle y, E(x,y)| \otimes \rho(x)$. Notice that all 3 registers are correlated.
When a register is independent of the others we use $\times$ instead of $\circ$. Thus, $U_{t+m} \times \rho_X$ denotes the
mixed state obtained by sampling $x \sim X$, $w \sim U_{t+m}$ and outputting $|w\rangle\langle w| \otimes \rho(x)$.

Next we define quantum-proof extractors for flat distributions:

Definition 2.4. A function $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is a quantum-proof $(n, f, k, \epsilon)$ strong extractor
for flat distributions if for every flat distribution $X$ over $\{0,1\}^n$ with exactly $f$ min-entropy and every
encoding $\rho$ of $X$ with $H_\infty(X; \rho) \ge k$,

$$\| U_t \circ E(X, U_t) \circ \rho(X) - U_{t+m} \times \rho_X \|_{tr} \le \epsilon.$$

We remark that in the classical setting every extractor for flat distributions is also an extractor for general
distributions, since every distribution with min-entropy $k$ can be expressed as a convex combination of flat
distributions over $2^k$ elements.

Finally we define extractors against quantum storage: 

Definition 2.5. A function $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is an $(n, k, b, \epsilon)$ strong extractor against
quantum storage if for every distribution $X$ over $\{0,1\}^n$ with $H_\infty(X) \ge k$ and every $b$-storage encoding $\rho$
of $X$,

$$\| U_t \circ E(X, U_t) \circ \rho(X) - U_{t+m} \times \rho_X \|_{tr} \le \epsilon.$$

The next lemma shows it is sufficient to consider only flat distributions when arguing about the correctness
of extractors against quantum storage.
Lemma 2.3. If $E$ is not an $(n, k, b, \epsilon)$ strong extractor against quantum storage then there exists a set $X$ of
cardinality $2^k$ and a $b$-storage encoding $\rho$ such that $E$ fails on $(X; \rho)$, that is,

$$\| U_t \circ E(X, U_t) \circ \rho(X) - U_{t+m} \times \rho_X \|_{tr} > \epsilon.$$

Proof: We prove the contrapositive, i.e., we assume that $E$ works for flat distributions of min-entropy
exactly $k$ and prove that it also works for general distributions with at least $k$ min-entropy.

Suppose $X$ is a distribution with $H_\infty(X) \ge k$. Then $X$ can be expressed as a convex combination of
flat distributions $X_i$ each with $H_\infty(X_i) = k$. If $\rho$ is a $b$-storage encoding of $X$ then it is also a $b$-storage
encoding of each of these flat distributions $X_i$. Thus, by assumption,

$$\| U_t \circ E(X_i, U_t) \circ \rho(X_i) - U_{t+m} \times \rho_{X_i} \|_{tr} \le \epsilon.$$

Now by convexity,

$$\| U_t \circ E(X, U_t) \circ \rho(X) - U_{t+m} \times \rho_X \|_{tr} \le \epsilon,$$

as desired. ■

Combining this with Proposition 2.1 we get:

Lemma 2.4. Every quantum-proof $(n, f, k, \epsilon)$ strong extractor for flat distributions is an $(n, f, f-k, \epsilon)$
strong extractor against quantum storage.

2.3 Lossless condensers 

Definition 2.6 (strong condenser). A mapping $C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^{n'}$ is an $(n, k_1) \to_\epsilon (n', k_2)$
strong condenser if for every distribution $X$ with $k_1$ min-entropy, $U_d \circ C(X, U_d)$ is $\epsilon$-close to a distribution
with $d + k_2$ min-entropy.

One typically wants to maximize $k_2$ and bring it close to $k_1$ while minimizing $n'$ (it can be as small as
$k_1 + O(\log \epsilon^{-1})$) and $d$ (it can be as small as $\log((n-k)/(n'-k)) + \log \epsilon^{-1} + O(1)$). For a discussion of
the parameters, see [3, Appendix B]. We call the condenser lossless if $k_2 = k_1$.

The property of lossless condensers that we shall use is the following. 

Fact 2.3 ([23, Lemma 2.2.1]). Let $C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^{n'}$ be an $(n, k) \to_\epsilon (n', k)$ lossless
condenser. Consider the mapping

$$C' : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^{n'} \times \{0,1\}^d$$

$$C'(x, y) = C(x, y) \circ y.$$

Then, for every set $X \subseteq \{0,1\}^n$ of size $|X| \le 2^k$, there exists a mapping $C'' : \{0,1\}^n \times \{0,1\}^d \to
\{0,1\}^{n'} \times \{0,1\}^d$ that is injective on $X \times \{0,1\}^d$ and agrees with $C'$ on at least $1 - \epsilon$ fraction of the set
$X \times \{0,1\}^d$.

3 A reduction to full classical entropy



A popular approach for constructing explicit extractors in the classical setting is as follows: 

• Construct an explicit extractor for the high min-entropy regime, i.e. for sources $X$ distributed over
$\{0,1\}^n$ that have $k$ min-entropy for some large $k$ close to $n$, and,

• Show a reduction from the general case to the high min-entropy case. 

In the classical setting this is often achieved by composing an extractor for the high min-entropy regime 
with a classical lossless condenser. Specifically, assume: 

• $C : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^{n'}$ is an $(n, k) \to_{\epsilon_1} (n', k)$ strong lossless condenser, and,

• $E : \{0,1\}^{d+n'} \times \{0,1\}^t \to \{0,1\}^m$ is a $(d + n', d + k, \epsilon_2)$ strong extractor.

Define $EC : \{0,1\}^n \times (\{0,1\}^d \times \{0,1\}^t) \to \{0,1\}^m$ by

$$EC(x, (y_1, y_2)) = E((C(x, y_1), y_1), y_2).$$

In the classical setting, [24, Section 5] prove that $EC$ is a strong $(n, k, \epsilon_1 + \epsilon_2)$ extractor. In this section
we try to generalize this result to the quantum setting. We prove:

Theorem 3.1. Let C and EC be as above. 

• If $E$ is a quantum-proof $(d + n', d + k, k_2, \epsilon_2)$ strong extractor for flat distributions, then $EC$ is a
$(n, k, k_2, \epsilon = \epsilon_2 + 2\epsilon_1)$ strong extractor for flat distributions.

• If $E$ is a $(d + n', d + k, d + b, \epsilon_2)$ strong extractor against quantum storage, then $EC$ is an $(n, k, b, \epsilon =
\epsilon_2 + 2\epsilon_1)$ strong extractor against quantum storage.

The intuition behind the theorem is the following. When the condenser C is applied on a flat source, it is 
essentially a one-to-one mapping between the source X and its image C(X). Therefore, roughly speaking, 
any quantum information about x can be translated to quantum information about C(x) and vice-versa. To 
make this precise we need to take care of the condenser's seed, and this incurs a small loss in the parameters. 

We first prove the second item. 

Proof (second item): Assume, by contradiction, that $EC$ is not an $(n, k, b, \epsilon = \epsilon_2 + 2\epsilon_1)$ strong extractor
against quantum storage. Then, by Lemma 2.3 there exists a subset $X \subseteq \{0,1\}^n$ of cardinality $2^k$ and a
$b$-storage encoding $\rho$ of $X$ such that, given this encoding, the output of the extractor $EC$ is not $\epsilon$-close to
uniform. That is,

$$\| U_{t+d} \circ EC(X, U_{t+d}) \circ \rho(X) - U_{t+d+m} \times \rho_X \|_{tr} > \epsilon.$$

In particular, by Fact 2.1 there exists some Boolean measurement that $\epsilon$-distinguishes the two distributions.
Since the first two components are classical, we can represent this measurement as follows. For
every $y \in \{0,1\}^{t+d}$ and $z \in \{0,1\}^m$ there exists a Boolean measurement $\{F^{y,z}, I - F^{y,z}\}$ on the quantum
component such that

$$\left| \mathbb{E}_{x \sim X,\, y \sim U}\left[\mathrm{Tr}(F^{y, EC(x,y)} \rho(x))\right] - \mathbb{E}_{y, z \sim U}\left[\mathrm{Tr}(F^{y,z} \rho_X)\right] \right| > \epsilon.$$




We now show how this can be used to break the extractor $E$. Consider the set $A = X \times \{0,1\}^d$. By
Fact 2.3 there exists a mapping $D$ that is injective on $A$ and agrees with the condenser on at least $1 - \epsilon_1$
fraction of $A$. Denoting $B = D(A)$, it is clear that $H_\infty(B) \ge d + k$.

For $(\bar{x}, y) \in B$ we define the encoding

$$\rho'(\bar{x}, y) = |y_1\rangle\langle y_1| \otimes \rho(D^{\leftarrow}(\bar{x}, y)),$$

where $(x, y_1) = D^{-1}(\bar{x}, y) \in A$ is the unique element such that $D(x, y_1) = (\bar{x}, y)$, and $D^{\leftarrow}(\bar{x}, y) = x$.

Next, we define a measurement $\{\bar{F}^{y_2,z}, I - \bar{F}^{y_2,z}\}$ that given the input $y_2 \in \{0,1\}^t$, $z \in \{0,1\}^m$ and
$\rho'(\bar{x}, y) = |y_1\rangle\langle y_1| \otimes \rho(x)$, sets $y = (y_1, y_2)$ and applies the measurement $\{F^{y,z}, I - F^{y,z}\}$ on the quantum
register $\rho(x)$.

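Now,

$$\left| \mathbb{E}_{b \sim B,\, y_2 \sim U_t}\left[\mathrm{Tr}(\bar{F}^{y_2, E(b, y_2)} \rho'(b))\right] - \mathbb{E}_{x \sim X,\, y \sim U_{d+t}}\left[\mathrm{Tr}(F^{y, EC(x,y)} \rho(x))\right] \right| \le \epsilon_1,$$

since the flat distribution over $B$ is $\epsilon_1$-close to the distribution obtained by sampling $x \in X$, $y_1 \in U_d$ and
outputting $(C(x, y_1), y_1)$. For the same reason, averaging over $B$ for $\bar{F}$ is almost as averaging over $X$ for
$F$. Namely,

$$\left| \mathbb{E}_{y_2, z \sim U}\left[\mathrm{Tr}(\bar{F}^{y_2,z} \rho'_B)\right] - \mathbb{E}_{y, z \sim U}\left[\mathrm{Tr}(F^{y,z} \rho_X)\right] \right| \le \epsilon_1.$$

It follows that

$$\left| \mathbb{E}_{b \sim B,\, y_2 \sim U_t}\left[\mathrm{Tr}(\bar{F}^{y_2, E(b, y_2)} \rho'(b))\right] - \mathbb{E}_{y_2, z \sim U}\left[\mathrm{Tr}(\bar{F}^{y_2,z} \rho'_B)\right] \right|$$
$$\ge \left| \mathbb{E}_{x \sim X,\, y \sim U}\left[\mathrm{Tr}(F^{y, EC(x,y)} \rho(x))\right] - \mathbb{E}_{y, z \sim U}\left[\mathrm{Tr}(F^{y,z} \rho_X)\right] \right| - 2\epsilon_1 > \epsilon - 2\epsilon_1 = \epsilon_2.$$

Clearly $\rho'$ is a $(d+b)$-storage encoding of $B$. This contradicts the fact that $E$ is a strong extractor against
$d + b$ quantum storage. ■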

We now prove the first item. 

Proof (first item): Assume, for contradiction, that $EC$ is not a quantum-proof $(n, k, k_2, \epsilon)$ strong extractor
for flat distributions. Then there exists a subset $X \subseteq \{0,1\}^n$ of cardinality exactly $2^k$ and an encoding $\rho$
of $X$ such that the conditional min-entropy is at least $k_2$ but given this encoding the output of the extractor
$EC$ is not $\epsilon$-close to uniform. The proof proceeds as before, defining the Boolean measurement $F$, the sets
$A$ and $B$, the encoding $\rho'$ and the measurement $\bar{F}$. If we can show that $H_\infty(B; \rho') \ge k_2$ then we break the
extractor $E$ and reach a contradiction. Indeed:

Claim 3.1. $H_\infty(B; \rho') \ge k_2$.

Proof: Assume, for contradiction, that $H_\infty(B; \rho') < k_2$. Then, there exists a predictor $W'$ such that

$$\Pr[W'(\rho'(b)) = b] > 2^{-k_2}.$$

Define a new predictor, $W$, that given $\rho(x)$ works as follows. First $W$ chooses $y \sim U_d$ and runs $W'$ on
$|y\rangle\langle y| \otimes \rho(x)$ to get some answer $b$. It then outputs $D^{\leftarrow}(b)$.
The success probability of the predictor $W$ is

$$\Pr_{x \sim X}[W(\rho(x)) = x] = \Pr_{x \sim X,\, y \in \{0,1\}^d}\left[D^{\leftarrow}(W'(|y\rangle\langle y| \otimes \rho(x))) = x\right]$$
$$\ge \Pr_{x \sim X,\, y \in \{0,1\}^d}\left[W'(|y\rangle\langle y| \otimes \rho(x)) = D(x, y)\right]$$
$$= \Pr[W'(\rho'(b)) = b] > 2^{-k_2}.$$

This contradicts the fact that $H_\infty(X; \rho) \ge k_2$.



We remark that we do not know how to extend the proof to work with lossy condensers. 

4 An explicit quantum-proof extractor for the high-entropy regime 

In this section we describe a construction of a short-seed quantum-proof $(n, k, \epsilon)$ strong extractor that works
whenever $k \gg n/2$. In the classical setting this scenario was studied in [3], developing and improving
techniques from [19] and other papers. Here we only need the techniques developed in [19].

Intuitively, the extractor $E$ that we construct works as follows. First, it divides the source into two parts of
equal length. Since the min-entropy is larger than $n/2$, for almost any fixing of the first part of the source,
the distribution on the second part has $\Omega(n)$ min-entropy. Hence, applying an extractor $E_2$ on the second
part results in output bits that are close to uniform. Since this is true for almost every fixing of the first part,
these output bits are essentially independent of the first part of the source. Therefore, these output bits can
serve as a seed for another extractor, $E_1$, that is applied on the first part of the source.

Formally, assume: 

• $E_1 : \{0,1\}^{n/2} \times \{0,1\}^{d_1} \to \{0,1\}^{m_1}$ is a quantum-proof $(\frac{n}{2}, \frac{n}{2} - b, \epsilon_1)$ strong extractor, and,

• $E_2 : \{0,1\}^{n/2} \times \{0,1\}^{d_2} \to \{0,1\}^{d_1}$ is a quantum-proof $(\frac{n}{2}, k, \epsilon_2)$ strong extractor.

Define $E : \{0,1\}^n \times \{0,1\}^{d_2} \to \{0,1\}^{m_1}$ by

$$E(x, y) = E_1(x_1, E_2(x_2, y)),$$

where $x = x_1 \circ x_2$ and $x_1, x_2 \in \{0,1\}^{n/2}$.

Theorem 4.1. Let $E_1, E_2$ and $E$ be as above with $k = \frac{n}{2} - b - \log \epsilon^{-1}$. Then $E$ is a quantum-proof
$(n, n - b, \epsilon + \epsilon_1 + \epsilon_2)$ strong extractor.

Proof: Let $X = X_1 \circ X_2$ be a distribution on $\{0,1\}^n = \{0,1\}^{n/2} \times \{0,1\}^{n/2}$ and $\rho$ be an encoding
such that $H_\infty(X; \rho) \ge n - b$. For a prefix $x_1 \in \{0,1\}^{n/2}$, let $\rho_{x_1}$ be the encoding of $X_2$ defined by
$\rho_{x_1}(x_2) = \rho(x_1 \circ x_2)$. A prefix $x_1$ is said to be bad if $H_\infty(X_2 \mid X_1 = x_1; \rho_{x_1}) < k$. By Lemma 2.2 the
probability that $x_1$ (sampled from $X_1$) is bad is at most



-1 




$= \epsilon.$
Whenever $x_1$ is not bad, $H_\infty(X_2 \mid X_1 = x_1; \rho_{x_1}) \ge k$, that is, the extractor $E_2$ is applied on a distribution
with $k$ min-entropy. Therefore, by the assumption on $E_2$, its output is $\epsilon_2$-close to uniform. That is, for
every good $x_1$,

$$\| U_{d_2} \circ x_1 \circ E_2(X_2, U_{d_2}) \circ \rho_{x_1}(X_2) - U_{d_2} \circ x_1 \circ U_{d_1} \circ \rho_{x_1}(X_2) \|_{tr} \le \epsilon_2.$$

Hence, the distribution $U_{d_2} \circ X_1 \circ E_2(X_2, U_{d_2}) \circ \rho(X)$ is $(\epsilon + \epsilon_2)$-close to $U_{d_2} \circ X_1 \circ U_{d_1} \circ \rho(X)$. In
particular,

$$\| U_{d_2} \circ E(X, U_{d_2}) \circ \rho(X) - U_{d_2 + d_1} \circ \rho_X \|_{tr}$$
$$= \| U_{d_2} \circ E_1(X_1, E_2(X_2, U_{d_2})) \circ \rho(X) - U_{d_2 + d_1} \circ \rho_X \|_{tr}$$
$$\le \epsilon + \epsilon_2 + \| U_{d_2} \circ E_1(X_1, U_{d_1}) \circ \rho(X) - U_{d_2 + d_1} \circ \rho_X \|_{tr},$$

where the last inequality follows from Fact 2.2.

Since $H_\infty(X; \rho) \ge n - b$, by Lemma 2.1 if we define an encoding $\rho'$ of $X_1$ by $\rho'(x_1) = \mathbb{E}_{x \sim (X | X_1 = x_1)}[\rho(x)]$
then $H_\infty(X_1; \rho') \ge n - b - n/2 = n/2 - b$. Therefore, by the assumption on $E_1$ we get

$$\| E_1(X_1, U_{d_1}) \circ \rho(X) - U_{m_1} \otimes \rho_X \|_{tr} \le \epsilon_1,$$

and thus

$$\| U_{d_2} \circ E(X, U_{d_2}) \circ \rho(X) - U_{d_2 + d_1} \otimes \rho_X \|_{tr} \le \epsilon + \epsilon_1 + \epsilon_2.$$
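The error accounting in the proof of Theorem 4.1 can be checked exhaustively on a toy instance with a classical adversary only; the following is an added example, not code from the paper. The extractors E1 and E2, the masks, the sizes and the source are constructed stand-ins small enough to enumerate: they are not Trevisan's extractor, and the check says nothing about quantum side information.

```python
import random
from collections import Counter, defaultdict

H = 6                    # n/2: bit length of each half x1, x2 (toy size)
D1, D2, M1 = 2, 7, 1     # seed bits of E1, seed bits of E2, output bits of E1
B, EPS = 2, 0.25         # source min-entropy is n - B; EPS is the bad-prefix budget
K = 2                    # k = n/2 - B - log2(1/EPS): threshold for "bad" prefixes
MASKS = (0b000111, 0b111000, 0b101010, 0b010101)  # constructed; defines toy E1

def parity(v):
    return bin(v).count("1") & 1

def E1(x1, s):
    """Toy extractor on the first half: the 2-bit seed picks a parity check."""
    return parity(x1 & MASKS[s])

def E2(x2, y):
    """Toy seeded linear hash on the second half: 7-bit seed, D1 output bits."""
    return sum(parity(x2 & ((y >> j) & (2**H - 1))) << j for j in range(D1))

def E(x, y):
    """E(x, y) = E1(x1, E2(x2, y)) with x = x1 o x2, as in Section 4."""
    return E1(x >> H, E2(x & (2**H - 1), y))

def strong_error(f, source, d, m):
    """Variational distance of (seed, f(X, seed)) from uniform; source is a multiset."""
    counts = Counter((y, f(x, y)) for x in source for y in range(2**d))
    total, domain = len(source) * 2**d, 2**(d + m)
    seen = sum(abs(c / total - 1 / domain) for c in counts.values())
    return 0.5 * (seen + (domain - len(counts)) / domain)

def build_source(seed=0):
    """Constructed flat source on 2H bits: 8 starved prefixes (2 suffixes each)
    and 56 prefixes with 18 suffixes each, 2**(2H - B) strings in total."""
    rng = random.Random(seed)
    src = []
    for x1 in range(2**H):
        for x2 in rng.sample(range(2**H), 2 if x1 < 8 else 18):
            src.append((x1 << H) | x2)
    return src

def analyse(source):
    groups = defaultdict(list)          # prefix x1 -> suffixes x2 with x1 o x2 in X
    for x in source:
        groups[x >> H].append(x & (2**H - 1))
    # For a flat X, H_inf(X2 | X1 = x1) = log2(#suffixes); bad means below k.
    bad = {x1 for x1, g in groups.items() if len(g) < 2**K}
    p_bad = sum(len(groups[x1]) for x1 in bad) / len(source)
    lemma_bound = 2**H * 2**K / len(source)      # Lemma 2.2: 2^l * 2^r * 2^-k
    eps2 = max((strong_error(E2, g, D2, D1)
                for x1, g in groups.items() if x1 not in bad), default=0.0)
    eps1 = strong_error(E1, [x >> H for x in source], D1, M1)
    total = strong_error(E, source, D2, M1)
    return {"p_bad": p_bad, "lemma_bound": lemma_bound,
            "eps1": eps1, "eps2": eps2, "total": total}

if __name__ == "__main__":
    for name, value in analyse(build_source()).items():
        print(f"{name:12s} {value:.4f}")
```

The composed error `total` never exceeds `p_bad + eps2 + eps1`, which is the classical form of the bound $\epsilon + \epsilon_1 + \epsilon_2$ in Theorem 4.1, and `p_bad` stays below the Lemma 2.2 bound.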



4.1 Plugging in explicit constructions 

We use Trevisan's extractor, which was already shown to be quantum-proof in [5]. Specifically, we use
the following two instantiations of this extractor:

Theorem 4.2 ([5]). For every constant $\delta > 0$, there exists $E_1 : \{0,1\}^{n/2} \times \{0,1\}^{O(\log^2(n/\epsilon_1))} \to \{0,1\}^{(1-\delta)(\frac{n}{2} - b)}$
which is a quantum-proof $(\frac{n}{2}, \frac{n}{2} - b, \epsilon_1)$ strong extractor.

Theorem 4.3 ([5]). For every constants $\gamma_1, \gamma_2 > 0$, there exists $E_2 : \{0,1\}^{n/2} \times \{0,1\}^{O(\log(n/\epsilon_2))} \to
\{0,1\}^{k^{1-\gamma_1}}$ which is a quantum-proof $(\frac{n}{2}, k, \epsilon_2)$ strong extractor, for $k > n^{\gamma_2}$.

Plugging these two constructions into Theorem 4.1 gives Theorem 1.3 which we now restate.

Theorem 1.3. For any $\beta < \frac{1}{2}$, $\gamma > 0$ and $\epsilon > 2^{-n^{(1-\gamma)/2}}$, there exists an explicit quantum-proof $(n, (1-\beta)n, \epsilon)$
strong extractor $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$, with seed length $t = O(\log n + \log \epsilon^{-1})$ and
output length $m = \Omega(n)$.

Proof: We set $\epsilon_1 = \epsilon_2 = \epsilon$, $b = \beta n$, $k = \frac{n}{2} - \beta n - \log \epsilon^{-1}$, $\gamma_2 = \delta = \frac{1}{2}$ and $\gamma_1 < \gamma$. In order to apply
Theorem 4.1 we need to verify that the output length of $E_2$ is not shorter than the seed length of $E_1$. This is
indeed the case since

$$k^{1-\gamma_1} > \left(\frac{n}{2} - \beta n - n^{(1-\gamma)/2}\right)^{1-\gamma_1} > n^{1-\gamma} > O\left(\log^2\left(\frac{n}{\epsilon}\right)\right).$$

The output length of $E$ is $\frac{1}{2}(\frac{1}{2} - \beta)n = \Omega(n)$. ■

5 The final extractor for the bounded storage model



We need the classical lossless condenser of [13].

Theorem 5.1 ([13]). For every $\alpha > 0$ there exists an $(n, k) \to_\epsilon ((1+\alpha)k, k)$ strong lossless condenser $C$
with seed length $O(\log n + \log \epsilon^{-1})$.

Plugging the condenser $C$ and the extractor $E$ of Theorem 1.3 into Theorem 3.1 gives Theorem 1.2
which we now restate.

Theorem 1.2. For any $\beta < \frac{1}{2}$ and $\epsilon > 2^{-k^{\beta}}$, there exists an explicit $(n, k, \beta k, \epsilon)$ strong extractor against
quantum storage, $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$, with seed length $t = O(\log n + \log \epsilon^{-1})$ and output
length $m = \Omega(k)$.

Proof: Let $\zeta > 0$ be a constant to be fixed later. The extractor $E$ from Theorem 1.3, when the source length
is set to be $2(1-\beta)(1-\zeta)k$, is a quantum-proof $(2(1-\beta)(1-\zeta)k, (1-\beta)k, \epsilon)$ strong extractor. In particular,
it is a $(2(1-\beta)(1-\zeta)k, k, \beta k, \epsilon)$ strong extractor against quantum storage. Its output length is $\Omega(k)$. The
theorem follows by applying Theorem 3.1 using the condenser of Theorem 5.1 with $\alpha = 2(1-\beta)(1-\zeta) - 1$.
Since $\beta < \frac{1}{2}$ there is a way to fix $\zeta$ such that $\alpha > 0$. ■

Since Theorem 3.1 works in the more general model of flat distributions, and since the extractor from
Theorem 1.3 already works in the most general setting, we get Theorem 1.1.

Theorem 1.1. For any $\beta < \frac{1}{2}$ and $\epsilon > 2^{-k^{\beta}}$, there exists an explicit quantum-proof $(n, k, (1-\beta)k, \epsilon)$ strong
extractor for flat distributions, $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$, with seed length $t = O(\log n + \log \epsilon^{-1})$
and output length $m = \Omega(k)$.

Acknowledgements. We thank Roy Kasher for pointing out an error in an earlier version of the paper. 
We thank Christopher Portmann for helpful comments. We thank the anonymous referees for many helpful 
suggestions that helped improve the paper. 

References 

[1] C.H. Bennett, G. Brassard, C. Crepeau, and U. Maurer. Generalized privacy amplification. IEEE
Transactions on Information Theory, 41(6, Part 2):1915-1923, 1995.

[2] C.H. Bennett, G. Brassard, and J.M. Robert. Privacy amplification by public discussion. SIAM Journal
on Computing, 17(2):210-229, 1988.

[3] M. Capalbo, O. Reingold, S. Vadhan, and A. Wigderson. Randomness conductors and constant-degree 
expansion beyond the degree/2 barrier. In Proc. 34th ACM Symp. on Theory of Computing (STOC), 
pages 659-668, 2002. 

[4] M. Christandl, R. Renner, and A. Ekert. A Generic Security Proof for Quantum Key Distribution, 
2004. arXiv:quant-ph/0402131. 

[5] A. De, C. Portmann, T. Vidick, and R. Renner. Trevisan's extractor in the presence of quantum side 
information, 2009. arXiv:0912.5514. 






[6] A. De and T. Vidick. Near-optimal extractors against quantum storage. In Proc. 42nd ACM Symp. on 
Theory of Computing (STOC), 2010. 

[7] Y. Dodis and A. Smith. Correcting errors without leaking partial information. In Proc. 37th ACM 
Symp. on Theory of Computing (STOC), pages 654-663, 2005. 

[8] Z. Dvir, S. Kopparty, S. Saraf, and M. Sudan. Extensions to the method of multiplicities, with applica- 
tions to kakeya sets and mergers. In Proc. 50th IEEE Symposium on Foundations of Computer Science 
(FOCS), pages 181-190. IEEE, 2009. 

[9] Z. Dvir and A. Wigderson. Kakeya sets, new mergers and old extractors. In Proc. 49th IEEE Symp. on 
Foundations of Computer Science (FOCS), pages 625-633, 2008. 

[10] S. Fehr and C. Schaffner. Randomness extraction via $\delta$-biased masking in the presence of a quantum
attacker. In Proc. Fifth Theory of Cryptography Conference (TCC), pages 465-481, 2008.

[11] D. Gavinsky, J. Kempe, I. Kerenidis, R. Raz, and R. de Wolf. Exponential separations for one-way 
quantum communication complexity, with applications to cryptography. SIAM Journal on Computing, 
38(5):1695-1708, 2008. 

[12] O. Goldreich and A. Wigderson. Tiny families of functions with random properties: a quality-size
trade-off for hashing. Random Structures & Algorithms, 11(4):315-343, 1997.

[13] V. Guruswami, C. Umans, and S. Vadhan. Unbalanced expanders and randomness extractors from
Parvaresh-Vardy codes. Journal of the ACM, 56(4):1-34, 2009.

[14] R. Impagliazzo, L. Levin, and M. Luby. Pseudo-random generation from one-way functions. In Proc. 
21st ACM Symp. on Theory of Computing (STOC), pages 12-24, 1989. 

[15] R. Konig, U. Maurer, and R. Renner. On the power of quantum memory. IEEE Transactions on 
Information Theory, 51(7):2391-2401, 2005. 

[16] R. Konig and R. Renner. Sampling of min-entropy relative to quantum knowledge, 2007.
arXiv:0712.4291.

[17] R. Konig, R. Renner, and C. Schaffner. The operational meaning of min-and max-entropy. IEEE 
Transactions on Information theory, 55(9):4337-4347, 2009. 

[18] R. Konig and B. Terhal. The bounded-storage model in the presence of a quantum adversary. IEEE 
Transactions on Information Theory, 54(2):749-762, 2008. 

[19] N. Nisan and D. Zuckerman. Randomness is linear in space. Journal of Computer and System Sciences,
52(1):43-52, 1996.

[20] J. Radhakrishnan and A. Ta-Shma. Bounds for dispersers, extractors, and depth-two superconcentrators.
SIAM Journal on Discrete Mathematics, 13(1):2-24, 2000.

[21] R. Renner. Security of Quantum Key Distribution. PhD thesis, Swiss Federal Institute of Technology 
(ETH) Zurich, September 2005. available at http://arxiv.org/abs/quant-ph/0512258. 

[22] A. Srinivasan and D. Zuckerman. Computing with very weak random sources. SIAM Journal on
Computing, 28(4):1433-1459, 1999.






[23] A. Ta-Shma, C. Umans, and D. Zuckerman. Loss-less condensers, unbalanced expanders, and extrac- 
tors. In Proc. 33th ACM Symp. on Theory of Computing (STOC), 2001. 

[24] A. Ta-Shma, C. Umans, and D. Zuckerman. Lossless condensers, unbalanced expanders, and extractors.
Combinatorica, 27(2):213-240, 2007.

[25] M. Tomamichel, C. Schaffner, A. Smith, and R. Renner. Leftover hashing against quantum side information,
2010. arXiv:1002.2436.

[26] L. Trevisan. Extractors and pseudorandom generators. Journal of the ACM, 48(4):860-879, 2001. 






